Cryptographic techniques constitute a major building block used in implementing all security services in computer networks. The basic function provided by a cryptographic system (or cryptosystem) is encipherment/decipherment. A cryptosystem comprises a pair of data transformations, encryption and decryption, respectively. Encryption is applied to a data item, known as plaintext, and generates a new (unintelligible) data item, ciphertext. Decryption, applied to ciphertext, results in the regeneration of the original plaintext. An encryption transformation uses as input both the plaintext data and an independent data value known as an encryption key. Similarly, a decryption transformation uses a decryption key. There are two basic types of cryptosystems--symmetric systems and public key (or asymmetric) systems. In symmetric cryptosystems the same key is used in the encryption and decryption transformations. A public key system has a key pair comprising a public key and a private key. One of these keys is used for encryption and the other for decryption. The public key does not need to be kept confidential.
To provide confidentiality, a symmetric cryptosystem works as follows. Two parties, A and B, want to communicate securely. By some process (e.g., by a secure channel or a trusted courier), they both obtain knowledge of a data value to be used as a key. The key is kept secret from all parties other than A and B. This enables either A or B to protect a message sent to the other party by encrypting it using the shared key. The other party can decrypt the message, but outside parties cannot. A well known symmetric cryptosystem is the U.S. Data Encryption Standard (DES).
In a public key cryptosystem there are two basic modes of operation, an encryption mode and an authentication mode. In the encryption mode, the data originator uses the public key for encryption and the recipient uses the private key of the same key pair for decryption. In this system, knowledge of the public key is not enough to deduce the private key. Therefore, the encryptor knows that data encrypted with a public key can only be decrypted by the holder of the corresponding private key. It is also possible to authenticate the encryptor in the authentication mode of operation. In this mode, the encryptor sends ciphertext encrypted by the private key of the key pair. The decryptor (recipient) then knows that data encrypted with the private key can be decrypted by anyone but could only have been sent by the holder of the private key. A cryptosystem of this kind which can operate in both encryption and authentication modes is known as a reversible public key cryptosystem.
One well known reversible public key cryptosystem is the RSA system described in U.S. Pat. No. 4,405,829 issued on Sep. 20, 1983 to Rivest et al. An RSA key pair is created as follows. An integer e is chosen, to be the public exponent. Two large prime numbers, p and q, are randomly selected, satisfying the conditions that (p-1) and e have no common divisors, and (q-1) and e have no common divisors. The public modulus is the value n=pq. The values of n and e together form the public key. A private exponent d is then determined, such that de-1 is divisible by both p-1 and q-1. The values of n and d (or p and q) together constitute the private key. The exponents have the important property that d functions as the inverse of e, that is, for any message M, (M.sup.e).sup.d mod n=M. The encryption process for message M involves calculating M.sup.e mod n. This can be carried out by anyone who knows the public key, i.e., n and e. Decryption of message M' involves calculating M'.sup.d mod n. This requires knowledge of the private key.
Cryptographic techniques all depend upon cryptographic keys. The keys must be made known in advance (distributed) to the parties that will use them and at the same time they must be protected as necessary against disclosure and/or substitution. Therefore key management, particularly key distribution, is very important. With purely symmetric systems, if the number of keys in a network is to be kept manageable, it is necessary to use trusted key centers for key distribution. For any two systems to communicate securely, they must share a master keying relationship with a key center. Furthermore, that key center must be on-line at the time secure communications are to be established. Distribution of public keys is simpler and does not require trusted on-line servers. Distribution of a public key does not require confidentiality, but it does require integrity--the user of a public key must be assured that it is the correct public key for the remote party concerned. For this reason, a public key is usually distributed in the form of a certificate which is digitally signed by a trusted certification authority. Certificates can then be distributed by unsecured means, such as a public directory service. A user of a certificate can be assured the certificate contents have not been changed, by verifying the certification authority signature. Installation of a new private/public key pair is straightforward; keys are typically generated within the owner system or a certification authority system. The only secure key transfer necessary is the transfer of one key from either the owner system to the certification authority system, or vice versa. These two systems are usually in the same network, and are typically close to one another.
In comparison with symmetric cryptosystems, public key systems have the advantage of simpler key distribution. However, countering this advantage, symmetric systems have the advantage of lower processing overheads. This makes symmetric systems particularly attractive for the bulk encryption/decryption of large volumes of data.
To benefit from all the advantages, a hybrid approach may be used. Symmetric cryptosystems are used for protecting bulk data and public key systems are used for distributing the symmetric keys (primary keys). For example, if a party A wants to establish a symmetric encryption key with party B, using RSA, it can do so as follows. Party A obtains a copy of party B's public key by obtaining the necessary certificate (possibly sent directly from Party B) and checking the certificate signature (or the signatures on a chain of certificates) to ensure the key is valid. Party A then generates a random symmetric key, and sends it to Party B, encrypted under Party B's public key. Only Party B can learn the symmetric key value, as only Party B knows the private key needed to decipher the message (the encrypted symmetric key value). Hence the two parties establish shared knowledge of the symmetric key, and can proceed to use it for protecting data communicated between them.
Another well known scheme of establishing a symmetric primary key is known as the Diffie-Hellman key derivation technique described in U.S. Pat. No. 4,200,770 issued Apr. 29, 1980 to Hellman et al. This works as follows. Parties A and B agree, in advance, upon a prime number p and a primitive element a in GF(p). Prime p should be such that p-1 has a large prime factor. This agreement could be on the basis of published system-wide constants, or could result from previous communications. As the first step in deriving a key, party A generates a random number x, 0.ltoreq.x.ltoreq.p-1. It then calculates a.sup.x mod p, and sends this value to party B. Party B generates a random number y, 0.ltoreq.y.ltoreq.p-1, calculates a.sup.y mod p, and sends this value to party A. Then party A calculates (a.sup.y).sup.x mod p and party B calculates (a.sup.x).sup.y mod p. Both parties now know a common key, K=a.sup.xy mod p.
In the traditional electronic mail encryption key distribution method, all message recipients have key pairs of a reversible public key cryptosystem (such as RSA). The message is encrypted using a symmetric cryptosystem, and copies of the encryption key, encrypted under the public key of each recipient, are attached to the message. Each legitimate recipient can recover the encryption key by decrypting the applicable copy of it with his private key. This method has several shortcomings. Firstly, the only access control model it can support is a simple list of authorized decryptors; other models are often required, such as specifying group membership, role membership, or security clearance. Secondly, every recipient must hold sensitive information, namely the private key of a key pair; compromise of any recipient's private key results in the compromise of all encrypted messages ever sent to that recipient. Thirdly, the encrypting system must obtain and verify, for every authorized recipient, a public key certificate; this can be a lengthy process, given the need to process multiple certificate chains and revocation lists. Fourthly, every participating user is required to possess the encryption and decryption capabilities of a reversible public key cryptosystem. There may be a risk of such cryptographic capabilities being used for unintended encryption purposes.
The present invention addresses these problems and others which will become apparent in the following detailed description. The invention relates to a key distribution method which enables an encryptor of a data item to specify, in terms of any desired access control model, the set of authorized decryptors. The present invention makes use of trusted servers called key release agents. While the invention is not restricted to use within any particular application environment, it is most naturally applicable to environments where broad user populations inherently have access to encrypted information, e.g., file servers, bulletin boards, or groupware applications.
The present invention also provides for controlled release of decryption keys under special circumstances, such as authorized interception by law enforcement agencies. This can be achieved by building a special key release condition into the key release agent's decision process. When used for this purpose, the present invention overcomes deficiencies apparent in the key-escrow system described in the U.S. Government FIPS 185 Escrowed Encryption Standard which addresses the same requirements.